On Sun, 18 Feb 2024, 05:29 Owen DeLong via NANOG, <nanog@nanog.org> wrote:

> Most firewalls are default deny. Routers are default allow unless you put a filter on the interface.

This is not relevant though. NAT when doing port overloading, as is the case for most CPE, is not default-deny or default-allow. The OS processes the packet just like normal and sends an ICMP back unless there is another firewall that says drop. NAPT adds temporary rewrite rules for each flow that goes outbound.

> NAT adds nothing to security (Bill and I agree to disagree on this), but at best, it complicates the audit trail.

It absolutely does add something. Whether that something is valuable or not depends on your vantage point, and I'd say it's better than nothing, but there are better solutions available.

M
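As an added illustration that is not part of the thread, a small Python model of the NAPT behaviour described in the reply above: outbound flows install temporary rewrite rules, and an unsolicited inbound packet that matches no rule is not "denied" by NAT at all; it lands on the CPE's own IP stack, which answers like any host unless a separate firewall rule drops it. All addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed toy model (not from the NANOG thread): a port-overloading NAT
# (NAPT) table. It shows that NAT itself is neither default-deny nor
# default-allow: an inbound packet with no matching outbound flow is simply
# untranslated and is handled by the CPE's own OS, not by a policy.

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class NAPT:
    wan_ip: str
    drop_unsolicited: bool = False        # the "other firewall that says drop"
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (proto, wan_port) -> (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: reuse or install a temporary rewrite rule, rewrite source."""
        for (proto, wport), inside in self.table.items():
            if proto == pkt.proto and inside == (pkt.src, pkt.sport):
                return Packet(pkt.proto, self.wan_ip, wport, pkt.dst, pkt.dport)
        wport, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, wport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.wan_ip, wport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> str:
        """WAN -> LAN: translate only if a flow exists; else the CPE itself owns it."""
        inside = self.table.get((pkt.proto, pkt.dport))
        if inside is not None:
            return f"forwarded to {inside[0]}:{inside[1]}"
        if self.drop_unsolicited:
            return "dropped by firewall"
        # No rewrite rule: the packet is addressed to the CPE, so its OS replies
        # as a normal host would (RST for closed TCP port, ICMP unreachable for UDP).
        return "tcp-rst" if pkt.proto == "tcp" else "icmp-port-unreachable"

def demo() -> list:
    nat = NAPT("203.0.113.1")                       # constructed addresses
    nat.outbound(Packet("udp", "192.168.1.10", 5353, "198.51.100.7", 53))
    reply = Packet("udp", "198.51.100.7", 53, "203.0.113.1", 40000)
    probe = Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", 22)
    return [nat.inbound(reply), nat.inbound(probe),
            NAPT("203.0.113.1", drop_unsolicited=True).inbound(probe)]
```

Only the third result comes from an actual deny decision; the first two are the NAT table and the CPE's normal stack behaviour, which is the distinction the reply draws.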